Uploading a New Key to Google Cloud
Use the post /v1/cckm/google/upload-key API to create a new key on a key source (CipherTrust Manager, DSM, or Luna HSM) and upload it to Google Cloud.
Syntax
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
gcp_key_params | JSON | Parameters to specify properties of the Google Cloud key. Refer to Google Cloud Key Parameters for details. |
key_ring | string | ID or resource URL of the Google Cloud key ring where the key is to be created. |
source_key_id | string | ID of the key that will be uploaded from a key source. |
source_key_tier | string | Key source from where the key will be uploaded. The key source can be: • local for CipherTrust Manager (default) • dsm for Data Security Manager (DSM) • hsm-luna for Luna HSM (FM-enabled Luna HSM is not supported as a key source) • external-cm for external CipherTrust Manager |
Google Key Parameters
Parameter | Type | Description |
---|---|---|
algorithm | string | Algorithm for the Google Cloud key. The supported algorithms are: • RSA_SIGN_PSS_2048_SHA256 • RSA_SIGN_PSS_3072_SHA256 • RSA_SIGN_PSS_4096_SHA256 • RSA_SIGN_PSS_4096_SHA512 • RSA_SIGN_PKCS1_2048_SHA256 • RSA_SIGN_PKCS1_3072_SHA256 • RSA_SIGN_PKCS1_4096_SHA256 • RSA_SIGN_PKCS1_4096_SHA512 • RSA_DECRYPT_OAEP_2048_SHA256 • RSA_DECRYPT_OAEP_3072_SHA256 • RSA_DECRYPT_OAEP_4096_SHA256 • RSA_DECRYPT_OAEP_4096_SHA512 • EC_SIGN_P256_SHA256 • EC_SIGN_P384_SHA384 • GOOGLE_SYMMETRIC_ENCRYPTION • HMAC_SHA256 |
key_name | string | Name for the Google Cloud key. |
protection_level | string | Protection level for the Google Cloud key. The options are: • SOFTWARE • HSM |
purpose | string | Purpose of the Google Cloud key. A key purpose specifies the operation that the key can be used to perform. The options are: • ASYMMETRIC_SIGN (for asymmetric keys) • ASYMMETRIC_DECRYPT (for asymmetric keys) • ENCRYPT_DECRYPT (for symmetric keys) • MAC (for symmetric keys) Refer to Key purposes and algorithms for details. |
labels | string of JSON | Labels (tags) attached to the Google Cloud key in the form of key-value JSON pairs, for example, "isakey": "yes". For Google label requirements, refer to Labeling keys. |
next_rotation_time | string | Time when the Google Cloud key will be automatically rotated by Google Cloud KMS (symmetric key only). The time must be in the RFC3339 format, for example, "2022-07-31T17:18:37.085Z". |
rotation_period | string | (Symmetric keys only) Frequency at which the Google Cloud key will be automatically rotated by Google Cloud KMS. The frequency must be in the format "<duration>s", that is, duration in seconds terminated by s, for example, "360000s". |
import_only | boolean | Whether to restrict key versions to import only. If set to true, new key versions can only be imported. The default value is false. |
destroy_scheduled_duration | string | Duration that the Google Cloud key stays scheduled for destruction before it is destroyed. The time must be in the format "<duration>s", that is, duration in seconds terminated by s, for example, "360000s". |
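The following pre-flight check is an added example, not part of the original page or the product: it validates an upload-key request body against the constraints in the two tables above (algorithm and purpose pairing, documented key sources, rotation for symmetric keys only, duration and RFC3339 formats). The function names, the assumption that key_ring, source_key_id, and gcp_key_params are mandatory, and the sample values are illustrative.

```python
import re
from datetime import datetime

SIZES = ("2048_SHA256", "3072_SHA256", "4096_SHA256", "4096_SHA512")
# Supported algorithms from the table above, grouped by the purpose each one serves.
ALGORITHMS = {
    "ASYMMETRIC_SIGN": {f"RSA_SIGN_{p}_{s}" for p in ("PSS", "PKCS1") for s in SIZES}
                       | {"EC_SIGN_P256_SHA256", "EC_SIGN_P384_SHA384"},
    "ASYMMETRIC_DECRYPT": {f"RSA_DECRYPT_OAEP_{s}" for s in SIZES},
    "ENCRYPT_DECRYPT": {"GOOGLE_SYMMETRIC_ENCRYPTION"},
    "MAC": {"HMAC_SHA256"},
}
SOURCE_TIERS = {"local", "dsm", "hsm-luna", "external-cm"}

def _is_rfc3339(value):
    try:  # fromisoformat() on older Pythons rejects a trailing "Z", so normalise it
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except (AttributeError, ValueError):
        return False

def check_upload_key_body(body):
    """Return a list of problems in an upload-key request body; empty means it passed."""
    # Assumption: these three fields are mandatory (the tables do not mark optionality).
    required = ("key_ring", "source_key_id", "gcp_key_params")
    problems = [f"missing {f}" for f in required if not body.get(f)]
    if body.get("source_key_tier", "local") not in SOURCE_TIERS:
        problems.append("source_key_tier is not a documented key source")
    params = body.get("gcp_key_params") or {}
    algo, purpose = params.get("algorithm"), params.get("purpose")
    expected = next((p for p, algos in ALGORITHMS.items() if algo in algos), None)
    if expected is None:
        problems.append(f"algorithm {algo!r} is not in the supported list")
    elif purpose != expected:
        problems.append(f"{algo} needs purpose {expected}, not {purpose}")
    level = params.get("protection_level")
    if level is not None and level not in ("SOFTWARE", "HSM"):
        problems.append("protection_level must be SOFTWARE or HSM")
    rotation = [k for k in ("next_rotation_time", "rotation_period") if k in params]
    if rotation and expected in ("ASYMMETRIC_SIGN", "ASYMMETRIC_DECRYPT"):
        problems.append(f"{', '.join(rotation)} applies to symmetric keys only")
    for k in ("rotation_period", "destroy_scheduled_duration"):
        if k in params and not re.fullmatch(r"\d+s", str(params[k])):
            problems.append(f'{k} must be seconds terminated by s, e.g. "360000s"')
    if "next_rotation_time" in params and not _is_rfc3339(params["next_rotation_time"]):
        problems.append("next_rotation_time must be an RFC3339 timestamp")
    return problems

# Constructed sample body; the key ring path and source key ID are placeholders.
SAMPLE = {"key_ring": "projects/example/locations/global/keyRings/example-ring",
          "source_key_id": "<source-key-id>", "source_key_tier": "local",
          "gcp_key_params": {"key_name": "example-key", "protection_level": "SOFTWARE",
                             "algorithm": "RSA_SIGN_PSS_2048_SHA256", "purpose": "ASYMMETRIC_SIGN"}}
```

Running the check before sending the request catches a key created with the wrong purpose or an unintended rotation setting on the client side, instead of relying on a 4xx response.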
Example Request
Example Response
The sample output shows that a new Google Cloud key with the ID 673c28bf-0b71-4473-bf90-a431e019df20 is created and its upload is in the "IN_PROGRESS" state.
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.